The 15 "Most Influential" People in Security Today - Really?

Date February 13, 2008

There’s probably going to be a lot of traffic on this, and although I don’t want to add to the noise, I have to rant for a second.  EWeek has just put up an article on "The 15 Most Influential People in Security Today".  My immediate thoughts?  W…T…F.

Ok, the term "Influential" could be slightly loaded (influential to who?), so this is how the list is introduced…

It’s never easy to come up with a definitive list of IT professionals with the most influence on the way we secure desktops, networks and mobile devices. And limiting the list to 15 hackers is a near-impossible task, but, in my mind, these are the folks who stand out today as stirring the imagination and forcing us to rethink our approach to security in an always-on world.

So, this is the list of 15 "hackers" with the most influence on the way we secure desktops, networks and mobile devices.  Sorry, but this list is a joke.  There’s a good few people on the list - some that I "know", some I "know of", and some I’ve never heard of in my life.  This last group worries me somewhat (am I missing an area I should be paying attention to?), but just as important, how about the people that have been left out of the list?  In no apparent (and incomplete) order, as well as going completely off-base/over the line/too controversial for most people, here’s what I think of the list.

Michael Howard:  Well, pretty obvious choice there.  Lots of us rely on Microsoft’s software, and security-wise it’s been getting better and better.  Mike is one of the first to admit that it’s a team effort, but he’s clearly one of the most visible people from Microsoft and the SDL, so props to him for getting on the list.

Bronwen Matthews: Staying with Microsoft, Bronwen Matthews apparently "manages the vendor selection process for security researchers, penetration testers and expert instructors".  It’s an important job no doubt, and I’m sure that she is excellent at it, but I don’t get why it’s "influential".  Ok, Microsoft has some budget to spend on pen testing, and Ms Matthews holds the purse-strings to that account, but so do a lot of other people doing very similar jobs in other companies all around the world.  Why aren’t they on the list?

Tavis Ormandy:  Um, excuse me?  Who?  Is this supposed to be an "influential people" list, or just a "people working in security at big companies" list?  Sorry to pick on someone in particular (I don’t know this guy, although I’m sure he’s a fine individual) but with him being first on the list I was expecting a little, um, "more"?  Tavis has an impressive list of vulnerabilities he’s discovered, but IMHO, it’s not all that difficult to find buffer overflows in old(er) open-source code (just search for strcpy and trace the inputs back).  Good use of his employer’s 20% time though I suppose, although I’d much rather see him fixing more of the lots and lots and lots and lots of stupid security vulns in Google’s products.

The MOAB Hackers: These guys deserve props for their "Month of Apple Bugs", which showed that the darlings from Cupertino aren’t all that hot, despite their claims of having much better security than anyone else out there.  Viruses on an Apple machine - no, can’t happen, never, never, never.  If you are going to call out one of the "month of …" projects, why not others like the "month of search engine bugs", "month of MySpace bugs", "month of PHP bugs" (scratch that - Stefan Esser is on the list - phew!), etc, etc.  Apple certainly have a lot of users, but I would argue that some of the ones I’ve just listed, and others that I’ve not, are just as "influential" to a greater number of people.

Chris Paget: Smart, cool, and a nice guy.  However, listing Chris from IOActive and forgetting Dan, is just too much of an oversight if you ask me.

HD Moore:  Should certainly be in a list somewhere, but metasploit is getting old, and as far as I can tell, HD doesn’t actually do all that much to add to the tool any more (the iPhone additions were from some other guys, but I may very well be wrong - that’s just what I hear "out there").

John Pescatore:  From a company spend point of view, no question that he should be on the list as "influential" (for good or for bad).  "Hacker", probably not :)

Window Snyder: …

Dave Aitel: One of my "must meet" people.  I’ve used a lot of his tools, know his work, and think his book is pretty good.

All the others:  I’m sorry, who are you?  Why is what you are doing "influential" to me?  Obviously I don’t get something here, but why are people with "in prototype" hardware, someone with an electron microscope, and some guys I’ve never heard of (and I doubt you have either) on the list?

Ok, let’s look at who missed out on the list.  I’ve shortened this for brevity :)  There’s a small bias towards web security, as that’s my field, but as it’s by far the most dominant technology platform now, I’m quite happy about that.

RSnake (and Jeremiah Grossman): Ok, I link to these guys a lot, and would consider them friends as well, but seriously, why are they not on the list?  Between them, these guys have done more to move web security forward than ANYONE else out there - people on this list included. As more and more code (and vulnerabilities) are moving to the web, I think I’d consider that pretty influential.

Any of the OWASP guys perhaps?  Either the management steering team, project leaders, founders, or collaborators?

Bruce Schneier: Oh, come on!  The guy is the most read security blogger, and is clearly influential in the industry.

Joanna Rutkowska:  Perhaps not "influential", but her work has certainly got people talking in the virtualization field.  As virtualization takes off, and malware gets more advanced, this is someone that’s certainly worth listening to.

I’m sure there are others that I’m missing (that I haven’t linked to above), but this is a first stab to get something out and rant about my displeasure with this list.  I have no idea who Ryan Naraine is, but I very much doubt that he follows the security industry all that closely.  Certainly, the "Mike isn’t happy because he (or someone he favors) isn’t on the list" argument could be thrown back at me here, but "fame" (for want of a better word) is not why I’m writing this post, blogging, or doing any "community activity" - I don’t want any recognition, you just do it because you want to "give back" in some way, just like donating to charity.  It’s nice when people say "thanks", but that’s about it.

Coming up with any kind of "Top XX" list is incredibly hard, and some people are obviously not going to agree on everything, but in this instance I feel that some of the list is wildly off the mark.

5 Responses to “The 15 "Most Influential" People in Security Today - Really?”

  1. Daniel said:

    As one of the old farts of OWASP, it’s good to see it listed here. We do have some amazingly talented people right now. Top lists, as you said, are damn hard to do.

  2. Shoaib Yousuf said:

    I agree with your comments.

    Well said…The list put up by eweek is not influential at all….Half of the people I don’t know and have never heard their names, lol

  3. TK said:

    Wow… some of you are really showing your ignorance. Not knowing names like Bunnie Huang or Tavis Ormandy really only shows your lack of knowledge of the players in the security industry and the history of that research and development (not to mention some pretty major contributions by these individuals), not any fault in eWeek’s selection process…

    It is sad to me when so called security “experts” don’t even recognize some of the best names in their field…

  4. Mike said:

    TK: Ok, so I suppose everyone is entitled to their opinions. I do know who Bunnie is (and really want a Chumby - they are so cool!), but I differ in that he’s one of the most “influential” people in security today - that’s my main point with this eWeek article - not the people on it who (as I’ve written above) have surely done good work. My belief, and this is purely personal, is that there are people out there that have more “impact” than some of those on this list.

    Most of the people on this list I had heard of. Tavis, I’m afraid, I had not until seeing this list. For someone that works in the web area, and uses google products and tries to find/read everything that comes out of their security group, as you say I must be doing something wrong here. I think in some ways Mat Cutts might be a better candidate.

    If you look at the comments on the original article at eweek, I think many people had “issue” with some of the people on that list. Let me reiterate, I have no problem with the *people* themselves - they have all contributed in one way or the other. My point is in the *influential* part, and I would guess that if a good number of people who work in security (some of whom I asked before posting) don’t know what they have done in the last year (and can offer alternatives), then I would say this list is flawed in some way.

  5. Jim Lippard said:

    Team Cymru definitely belongs on the list. Anyone who handles security for a tier 1 network provider knows them and understands why.
